feat: add SAML options and service type for OpenSearch

RoseSecurity · RoseSecurity · commit 5b9b15fe67bb · 2025-10-27T10:13:41.000-04:00
- Added `aws_service_type` variable to support both Elasticsearch and
  OpenSearch deployments, with validation and default for backward
  compatibility.
- Introduced `elasticsearch_saml_options` variable and resource to manage
  SAML authentication for OpenSearch domains.
- Updated outputs to be conditional on `local.enabled`.
- Added `elasticsearch_log_cleanup_enabled` variable for log cleanup Lambda.
- Improved password generation logic for compatibility.
diff --git a/src/main.tf b/src/main.tf
@@ -9,11 +9,10 @@ locals {
   elasticsearch_domain_endpoint = format(local.elasticsearch_endpoint_format, "elasticsearch_domain_endpoint")
   elasticsearch_kibana_endpoint = format(local.elasticsearch_endpoint_format, "elasticsearch_kibana_endpoint")
   elasticsearch_admin_password  = format(local.elasticsearch_endpoint_format, "password")
-}
 
-locals {
   create_password        = local.enabled && length(var.elasticsearch_password) == 0
-  elasticsearch_password = local.create_password ? join("", random_password.elasticsearch_password.*.result) : var.elasticsearch_password
+  elasticsearch_password = local.create_password ? one(random_password.elasticsearch_password[*].result) : var.elasticsearch_password
+  saml_options_enabled   = local.enabled && var.elasticsearch_saml_options.enabled
 }
 
 module "elasticsearch" {
@@ -25,6 +24,7 @@ module "elasticsearch" {
   subnet_ids                     = local.vpc_private_subnet_ids
   zone_awareness_enabled         = length(local.vpc_private_subnet_ids) > 1 ? true : false
   elasticsearch_version          = var.elasticsearch_version
+  aws_service_type               = var.aws_service_type
   instance_type                  = var.instance_type
   instance_count                 = length(local.vpc_private_subnet_ids)
   availability_zone_count        = length(local.vpc_private_subnet_ids)
@@ -56,6 +56,20 @@ module "elasticsearch" {
   context = module.this.context
 }
 
+resource "aws_opensearch_domain_saml_options" "this" {
+  count = local.saml_options_enabled ? 1 : 0
+
+  domain_name = module.elasticsearch.domain_name
+
+  saml_options {
+    enabled = var.elasticsearch_saml_options.enabled
+    idp {
+      entity_id        = var.elasticsearch_saml_options.entity_id
+      metadata_content = var.elasticsearch_saml_options.metadata_content
+    }
+  }
+}
+
 resource "random_password" "elasticsearch_password" {
   count = local.create_password ? 1 : 0
   # character length
@@ -104,6 +118,8 @@ module "elasticsearch_log_cleanup" {
   source  = "cloudposse/lambda-elasticsearch-cleanup/aws"
   version = "0.16.1"
 
+  enabled = var.elasticsearch_log_cleanup_enabled
+
   es_endpoint          = module.elasticsearch.domain_endpoint
   es_domain_arn        = module.elasticsearch.domain_arn
   es_security_group_id = module.elasticsearch.security_group_id
diff --git a/src/outputs.tf b/src/outputs.tf
@@ -1,49 +1,54 @@
 output "security_group_id" {
-  value       = module.elasticsearch.security_group_id
+  value       = local.enabled ? module.elasticsearch.security_group_id : null
   description = "Security Group ID to control access to the Elasticsearch domain"
 }
 
 output "domain_arn" {
-  value       = module.elasticsearch.domain_arn
+  value       = local.enabled ? module.elasticsearch.domain_arn : null
   description = "ARN of the Elasticsearch domain"
 }
 
 output "domain_id" {
-  value       = module.elasticsearch.domain_id
+  value       = local.enabled ? module.elasticsearch.domain_id : null
   description = "Unique identifier for the Elasticsearch domain"
 }
 
+output "domain_name" {
+  value       = local.enabled ? module.elasticsearch.domain_name : null
+  description = "Name of the Elasticsearch domain"
+}
+
 output "domain_endpoint" {
-  value       = module.elasticsearch.domain_endpoint
+  value       = local.enabled ? module.elasticsearch.domain_endpoint : null
   description = "Domain-specific endpoint used to submit index, search, and data upload requests"
 }
 
 output "kibana_endpoint" {
-  value       = module.elasticsearch.kibana_endpoint
+  value       = local.enabled ? module.elasticsearch.kibana_endpoint : null
   description = "Domain-specific endpoint for Kibana without https scheme"
 }
 
 output "domain_hostname" {
-  value       = module.elasticsearch.domain_hostname
+  value       = local.enabled ? module.elasticsearch.domain_hostname : null
   description = "Elasticsearch domain hostname to submit index, search, and data upload requests"
 }
 
 output "kibana_hostname" {
-  value       = module.elasticsearch.kibana_hostname
+  value       = local.enabled ? module.elasticsearch.kibana_hostname : null
   description = "Kibana hostname"
 }
 
 output "elasticsearch_user_iam_role_name" {
-  value       = module.elasticsearch.elasticsearch_user_iam_role_name
+  value       = local.enabled ? module.elasticsearch.elasticsearch_user_iam_role_name : null
   description = "The name of the IAM role to allow access to Elasticsearch cluster"
 }
 
 output "elasticsearch_user_iam_role_arn" {
-  value       = module.elasticsearch.elasticsearch_user_iam_role_arn
+  value       = local.enabled ? module.elasticsearch.elasticsearch_user_iam_role_arn : null
   description = "The ARN of the IAM role to allow access to Elasticsearch cluster"
 }
 
 output "master_password_ssm_key" {
-  value       = local.elasticsearch_admin_password
+  value       = local.enabled ? local.elasticsearch_admin_password : null
   description = "SSM key of Elasticsearch master password"
 }
diff --git a/src/variables.tf b/src/variables.tf
@@ -8,9 +8,21 @@ variable "instance_type" {
   description = "The type of the instance"
 }
 
+variable "aws_service_type" {
+  type        = string
+  description = "The type of AWS service to deploy (`elasticsearch` or `opensearch`)."
+  # For backwards comptibility we default to elasticsearch
+  default = "elasticsearch"
+
+  validation {
+    condition     = contains(["elasticsearch", "opensearch"], var.aws_service_type)
+    error_message = "Value can only be one of `elasticsearch` or `opensearch`."
+  }
+}
+
 variable "elasticsearch_version" {
   type        = string
-  description = "Version of Elasticsearch to deploy (_e.g._ `7.1`, `6.8`, `6.7`, `6.5`, `6.4`, `6.3`, `6.2`, `6.0`, `5.6`, `5.5`, `5.3`, `5.1`, `2.3`, `1.5`"
+  description = "Version of Elasticsearch or Opensearch to deploy (_e.g._ `7.1`, `6.8`, `6.7`, `6.5`, `6.4`, `6.3`, `6.2`, `6.0`, `5.6`, `5.5`, `5.3`, `5.1`, `2.3`, `1.5`"
 }
 
 variable "encrypt_at_rest_enabled" {
@@ -100,6 +112,28 @@ variable "elasticsearch_password" {
   }
 }
 
+variable "elasticsearch_saml_options" {
+  type = object({
+    enabled          = optional(bool, false)
+    entity_id        = optional(string)
+    metadata_content = optional(string)
+  })
+  description = <<-EOT
+ Manages SAML authentication options for an AWS OpenSearch Domain
+
+ enabled: Whether to enable SAML authentication for the OpenSearch Domain
+ entity_id: The entity ID of the IdP
+ metadata_content: The metadata of the IdP
+ EOT
+  default     = {}
+}
+
+variable "elasticsearch_log_cleanup_enabled" {
+  type        = bool
+  description = "Whether to enable Elasticsearch log cleanup Lambda"
+  default     = true
+}
+
 variable "dns_delegated_environment_name" {
   type        = string
   description = "The name of the environment where the `dns-delegated` component is deployed"
